Emva konyaka wophuhliso ukukhutshwa kweprojekthi , ebonelela ngemodyuli yetoliki ye-PHP7 ukuphucula ukhuseleko lokusingqongileyo kunye nokuthintela iimpazamo eziqhelekileyo ezikhokelela kubuthathaka ekusebenziseni izicelo ze-PHP. Imodyuli ikwavumela ukuba wenze ukuphelisa iingxaki ezithile ngaphandle kokutshintsha ikhowudi yomthombo wesicelo esisengozini, ekulungele ukusetyenziswa kwiinkqubo zokubamba ngobuninzi apho kungenakwenzeka ukugcina zonke izicelo zomsebenzisi zihlaziyiwe. Iindleko eziphezulu zemodyuli ziqikelelwa ukuba zincinci. Imodyuli ibhaliwe kwi-C, idibaniswe ngendlela yelayibrari ekwabelwana ngayo ("extension=snuffleupagus.so" kwi php.ini) kunye inikwe ilayisenisi phantsi kwe-LGPL 3.0.
I-Snuffleupagus inikezela ngenkqubo yemithetho evumela ukuba usebenzise iitemplates eziqhelekileyo ukuphucula ukhuseleko, okanye udale imithetho yakho yokulawula idatha yokufaka kunye neeparitha zokusebenza. Umzekelo, umgaqo othi βsp.disable_function.function(βsystemβ).param(βcommandβ).value_r(β[$|;&`\\n]β).drop();β ikuvumela ukuba unciphise usebenziso lweempawu ezikhethekileyo kwindlela () iimpikiswano zomsebenzi ngaphandle kokutshintsha isicelo. Iindlela ezakhelwe ngaphakathi zibonelelwa ukubhloka iiklasi zobuthathaka njengemiba, ngolandelelwano lwedatha, ukusetyenziswa kweposi ye-PHP () umsebenzi, ukuvuza kwemixholo yeCookie ngexesha lohlaselo lwe-XSS, iingxaki ngenxa yokulayisha iifayile ngekhowudi ephunyeziweyo (umzekelo, kwifomathi ), umgangatho ombi wokwenza amanani random kunye Ulwakhiwo olungalunganga lwe-XML.
Iindlela zokuphucula ukhuseleko lwe-PHP ezibonelelwa nguSnuffleupagus:
- Yenza ngokuzenzekelayo iiflegi "ezikhuselekileyo" kunye "nesamesite" (ukhuseleko lweCSRF) kwiiKuki, i-cookie;
- Isethi yemithetho eyakhelwe-ngaphakathi ukuchonga imikhondo yokuhlaselwa kunye nokuthotyelwa kwezicelo;
- Ukunyanzeliswa kusebenze kwihlabathi jikelele "" (umzekelo, ibhloka inzame yokuchaza umtya xa ulindele ixabiso elipheleleyo njengempikiswano) kunye nokhuseleko ngokuchaseneyo. ;
- Ukuvala ngokungagqibekanga (umzekelo, ukuvalwa "phar://") ngoluhlu lwabo olumhlophe olucacileyo;
- Ukuthintelwa kokusetyenziswa kweefayile ezibhaliweyo;
- Uluhlu olumnyama nolumhlophe lwe-eval;
- Kuyafuneka ukuze kukhangelwe isatifikethi se-TLS xa usebenzisa
umjikelo - Ukongeza i-HMAC kwizinto ezilandelelanayo zokuqinisekisa ukuba i-deserialization ifumana kwakhona idatha egcinwe sisicelo sokuqala;
- Imo yesicelo sokuloga;
- Ukuthintela ukulayishwa kweefayile zangaphandle kwi-libxml ngokusebenzisa amakhonkco kumaxwebhu e-XML;
- Ukukwazi ukudibanisa abaphathi bangaphandle (upload_validation) ukujonga kunye nokuskena iifayile ezilayishiwe;
Phakathi kukhupho olutsha: Inkxaso ephuculweyo ye-PHP 7.4 kunye nokuzalisekiswa kokuhambelana kunye nesebe le-PHP 8 ekuphuhlisweni ngoku.Ukongeza amandla okungena kwimicimbi nge-syslog (i-sp.log_media Directive indululwa ukuba ibandakanywe, engathatha iphp okanye ixabiso le-syslog). Isethi engagqibekanga yemithetho ihlaziywe ukubandakanya imithetho emitsha yobuthathaka obuchongiweyo obutsha kunye neendlela zokuhlasela ngokuchasene nezicelo zewebhu. Inkxaso ephuculweyo ye-macOS kunye nokusetyenziswa okwandisiweyo kweqonga lokudibanisa eliqhubekayo esekwe kwiGitLab.
umthombo: opennet.ru